1.0 Common Policy Elements

1.1 Introduction and Scope

Information is a valuable asset that must be protected from unauthorized disclosure, modification, use or destruction. Prudent steps must be taken to ensure that its confidentiality, integrity and availability are not compromised.

This document provides a uniform set of information security standards for using Hillsborough County (hereafter referred to as "the County" or "County") technology resources. In addition to defining roles and responsibilities, information security standards raise users' awareness of the risks associated with access to and use of information technology. Employee awareness through dissemination of the standards helps accelerate the development of new application systems and ensures the consistent implementation of controls for information systems.

County information security standards are based upon the internationally accepted ISO information security standard framework. The standards are designed to comply with applicable laws and regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The standards should be considered minimum requirements for providing a secure environment for developing, implementing and supporting information technology and systems. Departments must adhere to the associated standards unless specifically granted an exception (see section 1.4). Departments may develop detailed procedures to handle department-specific cases, provided they adhere to the standard that they support.

1.2 Authority

Article II, Section 6(o), of the Hillsborough County Administrative Code (Ordinance 85-35), as amended, empowers the County Administrator to issue and enforce such administrative orders, rules or guidelines as necessary to give appropriate effect to the Charter, Administrative Code and ordinances of the County, and to maintain a complete compilation of all such administrative orders, rules and regulations.
1.3 Enforcement

Individual County departments are responsible for developing detailed procedures to comply with these security standards. The standards will guide periodic security reviews by ITS, as well as audits by the Internal Audit department of the Clerk of the Circuit Courts or the County's Internal Performance Auditor. Violators of these standards may be subject to employee disciplinary procedures. Departments may impose sanctions upon their employees, within accepted County guidelines, for violations of these standards.

1.4 Exceptions

Exceptions to a standard must be approved by the Assistant County Administrator, with review by the Information Security group in ITS. Each exception request from a department or vendor must include, at a minimum:
- the need for the exception;
- the scope and extent of the exception;
- the safeguards to be implemented to mitigate the resulting risk;
- the specific timeframe for the exception;
- the organization requesting the exception; and
- management approval.

2.0 Terms and Definitions

This section defines some of the terms used throughout the document.

Policy: A course of action or behavior that is followed; a high-level plan embracing goals and acceptable procedures.

Standard: A specific approach, solution, methodology, product or protocol supporting a policy that must be adhered to in order to establish uniformity. While policies are intended to last for an indefinite period, standards may change more often, because the manual procedures, organizational structures, business processes and information systems technologies they reference change rapidly.

Procedure: A set of administrative instructions for implementing a standard; a particular way of accomplishing something. Procedures are sometimes called standard operating procedures or department operating procedures. They are the specific operational steps used to complete a task or achieve a goal.

4.0 Risk Assessment and Treatment

4.1 Assessing Security Risks

Risk Assessments
- Risk assessments should be performed periodically to address changes in security requirements and in the risk situation (e.g., in the assets, threats, vulnerabilities, impacts or the risk evaluation), and whenever significant changes occur.
- Risk assessments should be undertaken in a methodical manner capable of producing comparable and reproducible results.
- Risk assessments should have a clearly defined scope in order to be effective.

5.0 Security Policy

5.1 Information Security Policy

Information Security Commitment Statement
Information is a valuable County asset and must be protected from unauthorized disclosure, modification or destruction. Prudent information security policies, standards and procedures must be implemented to ensure that the integrity, confidentiality and availability of County information are not compromised.

Security Responsibility, Review and Evaluation
ITS is responsible for establishing and managing the security of all systems. Periodically, ITS will review the most current best practices regarding the use of technology and will amend and/or issue new policies, standards and/or controls to reflect the most appropriate solution for securing County information.

User Responsibility
County information technology resources are provided to authorized users to facilitate the efficient and effective performance of their duties in a secure electronic environment. The use of such resources imposes certain responsibilities and obligations on users and is subject to County policies. It is the responsibility of users to ensure that such resources are not misused.

6.0 Organizational Security

6.1 Information Security Infrastructure

Management Commitment to Information Security
County management should actively support security within the organization through clear direction, demonstrated commitment, and explicit assignment and acknowledgment of information security responsibilities. County management should:
- review and approve the information security policy;
- provide clear direction and visible management support for security initiatives;
- provide the resources needed for information security;
- approve the assignment of specific roles and responsibilities for information security across the County;
- initiate plans and programs to maintain information security awareness; and
- ensure that the implementation of information security controls is coordinated across the County.

Information Security Coordination / Allocation of Information Security Responsibilities
- The ITS Director will be the focal point for all IT security related matters.
- Departments should designate a security liaison to serve as the primary point of contact to the ITS Director.
- Departments should implement additional procedures as necessary to meet County security requirements.
- The security liaison is responsible for ensuring their department's implementation of the Information Security Policies and Standards approved by the County.

Authorization Process for Information Security Facilities
When approving new information processing facilities, the following issues (at a minimum) should be addressed:
- assessment of the ability of the new processing facilities to conform to existing security policies; and
- evaluation of the need for additional security measures and of the impact of personal computing systems.

6.1.4 Confidentiality Agreements
Confidentiality or non-disclosure agreements (NDAs) address the requirement to protect confidential information using legally enforceable terms. The following elements should be considered for inclusion in an NDA:
- a definition of the information to be protected (e.g., confidential information);
- the expected duration of the agreement;
- required actions when the agreement is terminated;
- the permitted use of confidential information, and the rights of the signatory to use the information;
- the right to audit and monitor activities that involve confidential information;
- the process for notification and reporting of unauthorized disclosure of confidential information;
- terms for information to be returned or destroyed when the agreement ends; and
- expected actions to be taken in case of a breach of the agreement.
Requirements for confidentiality and non-disclosure agreements should be reviewed periodically.

Independent Review of Information Security
- The County's approach to managing information security and its implementation (i.e., control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals, at management's initiation.
- Such a review should be carried out by individuals independent of the area under review, e.g., the internal audit function or a third party organization specializing in such reviews. Individuals carrying out these reviews should have the appropriate skills and experience.
- The results of the independent review should be recorded and reported to the management who initiated the review. If the independent review finds that the organization's approach to, or implementation of, managing information security is inadequate or not compliant with the direction stated in the information security policy document (see 5.1.1), management should undertake corrective actions.

6.2 Security of Third Party Access

Identification of Risks from Third Party Access
- All prospective third party agents must be provided with a copy of the County Information Security Policies and Standards by the contracting department, and must be required to comply with them.
- When third party agents have user accounts on County systems, they must observe the same standards as County employees.
- When third party agents are working in a County environment without direct supervision, County employees must be vigilant about logging off sessions, logging out or otherwise securing PC access, and keeping paper information out of view.
- Stringent controls must be required on user accounts that use remote login access.
- Where third party access will involve a network-to-network connection, the use of a firewall is mandated.
- Network connection ports should be monitored for unknown devices and unauthorized connections.

Security Requirements in Third Party Contracts
- When writing contracts with third parties to provide services that involve accessing County computing resources, the department involved bears the burden of ensuring that all relevant information security issues have been addressed. Use of the Information Security Policies and Standards as a reference guide is mandatory.
- Provisions in the contract that require the third party to demonstrate its ability to meet the requirements of the Information Security Policies and Standards provide a basis of trust for further technical interaction.
- When a third party service provider will be placing contract resources on County premises, the contract must reflect the third party's acceptance of responsibility for the actions of its members.
- When a service provider will be using a logical connection to County resources, the contract must reflect responsibility not only for the actions of the third party's users but also for the security integrity of any connected networks, systems or logons.

Security Requirements in Outsourcing Contracts
- Information security issues must be addressed in the contract as an expectation by the County that the provider will meet or exceed all of the policies stated within the County's Information Security Policies and Standards.
- When engaged in agreements with outsourcing providers, wording related to security compliance verification must exist within the contract.

7.0 Asset Classification and Control

7.1 Accountability for Assets

Inventory of Assets
- County equipment custodians must maintain perpetual inventory control, a record of the new location and new user of all equipment issued, and physical security over the equipment in their possession.
- All County computer and communications equipment must have a unique identifier attached to it so that physical inventories can be conducted efficiently.
- As hardware and software become out of date or are no longer in use, they must be removed from the inventory lists in accordance with Administrative Directive PI.
- All hardware and software must be procured according to Administrative Directive IT.

Ownership of Assets
All information and assets associated with information processing facilities should be owned by a designated part of the County. The asset owner is responsible for:
- ensuring that information and assets associated with information processing facilities are appropriately classified; and
- defining and periodically reviewing access restrictions and classifications, taking into account applicable access control policies.
Routine tasks may be delegated, e.g., to a custodian looking after the asset on a daily basis, but the responsibility remains with the owner.

7.1.3 Acceptable Use of Assets
County information technology resources are provided to authorized users to facilitate the efficient and effective performance of their duties. The use of such resources imposes certain responsibilities and obligations on users and is subject to County policies. It is the responsibility of users to ensure that such resources are not misused. For details on acceptable use, refer to HR policy.
- Departments may establish more stringent procedures consistent with this document and its associated standards.
- The County reserves the right to retrieve and read any data composed, transmitted or received through online connections and/or stored on County equipment.

7.2 Data Classification

Data Classification Guidelines
All County information, and information entrusted to the County by outside agencies, falls into one of three sensitivity classifications:

CONFIDENTIAL - This category includes protected health information (PHI) as defined by HIPAA, and similar information. Access to confidential information must be tightly controlled based on need to know. Except as specifically allowed by HIPAA and other federal and state laws, disclosure to other parties is not allowed and may result in significant civil and criminal penalties.

RESTRICTED - This is the default classification for any information not specifically designated. Disclosure of restricted information could cause harm to the general health, safety and welfare of affected parties. This information should be disclosed to third parties only if reviewed by the appropriate body and, if approved for disclosure, a confidentiality or non-disclosure agreement has been signed.

PUBLIC - Examples include any data deemed applicable under the Florida Sunshine Laws. This information has been explicitly approved by the County as suitable for public dissemination.

Information Labeling and Handling
For each data classification, labeling and handling procedures should be defined to cover the following types of activity:
- copying;
- storage;
- transmission (by mail, facsimile or otherwise); and
- destruction of data.
Output from systems containing data classified as confidential should carry an appropriate classification label. The labeling should reflect the classification according to the rules established in

8.0 Human Resources Security

8.1 Prior to Employment

Screening / Terms of Employment
- Job roles should identify the degree of access to County information systems and data, in addition to normal roles and responsibilities.
- Disciplinary or criminal procedures should follow the County's administrative regulations and criminal codes.
- Background checks should be conducted as part of the initial employment process for employees who will be handling confidential data as described in section
- Managers and supervisors should develop the procedures required for personnel that will be accessing confidential information.
- Terms and conditions of employment should clearly define the employee's responsibilities for information security.
- Employees who require access to confidential information should be required to sign a confidentiality or non-disclosure agreement when initially employed.
- Third-party users who are not already covered by an existing agreement should also sign such agreements prior to being given access to County information.

8.2 During Employment

Management Responsibilities
Management should require employees and third party users to apply security in accordance with the County's Information Security Policies and Standards. Management responsibilities should include ensuring that employees and third party users:
- are properly briefed on their information security responsibilities prior to being granted access to sensitive information or systems;
- are provided with guidelines stating the security expectations of their role within the County;
- are required to fulfill the security policies of the County;
- achieve a level of security awareness relevant to their roles and responsibilities within the County; and
- comply with the terms and conditions of employment, which include the County's information security policy.

Information Security Education and Training
- All employees should be trained in information security concepts. Each department should create procedures for training employees on securely accessing and using its information processing facilities.
- All employees should be aware of, and remain vigilant for, possible fraudulent activities. Well-defined procedures should be in place for employees to report incidents involving their personal accounts or the acts of others.
- A process for reporting incidents and concerns should be communicated to all employees so they can report breaches and other suspicious activities to the appropriate levels (see section 6.3.1).
- Users should be trained to be aware of security weaknesses and threats to all information processing and communications, and of the process for reporting them to the designated security liaison.
- Users should note and report observed or suspected security weaknesses in systems and services. Users should not try to reproduce the security breach or attempt to prove the threat as a test.
- Vendors and contractors who provide services to the County must agree to follow the applicable information security procedures of the department for which they work.

Disciplinary Process
A formal disciplinary process should be followed to deter and discipline employees or third party agents who violate the County Information Security Policies and Standards.

8.3 Termination or Change of Employment

Termination Responsibilities
Responsibilities for performing employment termination or change of employment should be clearly defined and assigned. Human Resources is responsible for the overall termination process and should coordinate with the manager of the departing person to manage the security aspects of the relevant procedures.

Return of Assets
- All employees, contractors and third party users must return all County assets in their possession upon termination of their employment, contract or agreement.
- The termination process should be formalized to include the return of all previously issued software, County documents and equipment. Other County assets such as mobile computing devices, access cards, manuals and information stored on electronic media must also be returned.
- Where an employee or third party user has knowledge that is important to ongoing operations, that information should be documented and transferred to the County.

Removal of Access Rights
- The access rights of all employees and third party users to information and information processing facilities must be removed upon termination of their employment, contract or agreement, or adjusted upon change.
- Changes of employment (i.e., transfers) must be reflected in the removal of all access rights that were not approved for the new position.

9.0 Physical and Environmental Security

9.1 Secure Areas

Physical Security Perimeter
- A security assessment of all key information processing facilities should be performed to assess their physical security. Primary information processing facilities should be evaluated frequently, including on weekends and holidays.
- Appropriate control mechanisms should be applied to prevent unauthorized access.
- The preventive, detective and corrective physical security measures should be periodically tested and documented to verify the adequacy of their design and the degree of their implementation and effectiveness.
- Information processing facilities should be equipped with fire alarm systems.
- Sections of secure facilities that provide access for input or output deliveries should be restricted with additional controls.
- The computer center's physical address should be disclosed only to those having a need to know. No signs should indicate the location of an information processing facility.
- Directories and internal telephone books that identify the locations of information processing facilities should not be readily accessible to the public.
- To prevent unauthorized duplication and transmission of confidential information, all printers, copiers and fax machines that process such information should be located in secured areas.

9.1.2 Physical Entry Controls
- Where possible, and not deemed cost prohibitive, entry controls should identify, authenticate or monitor all access attempts to restricted areas within department facilities.
- Access to any County data center, network operations center, telecommunications facility or other similar information processing facility should be restricted.
- Access to any office, computer room or work area that contains confidential information should be physically restricted.
- All visitors, including contractors and vendors, should be registered before accessing information processing facilities.
- Visitors should be escorted by an ITS or County approved staff member when entering and exiting information processing facilities, and periodically monitored by an ITS or County approved staff member while on-site.
- Confidential information, in either paper or electronic form, must be protected from unauthorized access and disclosure.
- All entry logs should be secured and maintained.
- Access rights to secure areas should be reviewed and updated regularly: monthly reports should be obtained for the OPS manager to review, and access updated as necessary.

9.2 Equipment Security

Equipment Location and Protection
- Production systems, including but not limited to servers, network equipment and telephony systems, should be located within a physically secured area.
- To assure uninterrupted service of critical production systems, management should provide security controls that monitor for fire, smoke, water, temperature and electrical effects and alert appropriate personnel.
- Primary information processing facilities should include controls that monitor for humidity levels outside the acceptable range and alert appropriate personnel.
- Management should restrict eating, drinking and smoking in the proximity of information processing equipment, except in designated areas.
- Management should prohibit the storage of stationery and other supplies posing a fire hazard inside information processing locations.
- Equipment should be properly maintained in accordance with the manufacturer's recommended service intervals and specifications to ensure its continued availability and integrity.
- Appropriate precautions should be taken when sending equipment off-site for maintenance, especially equipment that might contain confidential data.

Uninterruptible Power Supplies
- A risk assessment should be performed on critical equipment to determine the need for uninterruptible power supply (UPS) equipment and the length of time for which outage protection is required.
- UPS equipment should be monitored to ensure that it is functioning properly and has adequate capacity.
- Back-up generators should be considered if the risk assessment determines that processing must continue in the event of a prolonged power failure. Generators should be tested regularly in accordance with the manufacturer's instructions.
- Emergency power switches should be located near emergency exits in equipment rooms to facilitate rapid power-down in case of an emergency.
- Emergency lighting should be provided within the facility in case of a main power failure.

- Lightning protection should be used where deemed appropriate following a risk assessment.

Secure Disposal or Re-use of Equipment
- Prior to disposal, media (floppy disks, CDs, DVDs, tapes, etc.) containing confidential information must be destroyed to render the information unrecoverable.
- All hardcopy materials that contain confidential information must be shredded.

Removal of Property
The use of any County-owned equipment outside of County premises must be authorized by department management. The level of security provided must be at least equal to that of equipment used on-site.

10.0 Communications and Operations Management

10.1 Operational Procedures and Responsibilities

Documentation of Operating Procedures
- Operating procedures for County information processing systems should be documented and authorized by management.
- Documented procedures should be prepared for the typical system maintenance activities associated with information processing and communications facilities.

Operational Change Control
Responsibilities and procedures should be implemented to ensure satisfactory control of all changes to information processing systems, software and procedures.

Segregation of Duties
Care should be taken that no single person can perpetrate fraud in an area of sole responsibility without being detected.

Separation of Development and Production Facilities
Where feasible, separation between production, development and test systems should be maintained to reduce the risk of unauthorized changes or access.

10.2 Third Party Service Delivery Management

Service Delivery
Ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party.

Monitoring and Review of Third Party Services
Monitoring and review of third party services should ensure that the information security terms and conditions of the agreements are being adhered to, and that information security incidents and problems are managed properly.

Managing Changes to Third Party Services
Changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking into account the criticality of the business systems involved.

10.3 System Planning and Acceptance

Capacity Planning
- Information system managers should monitor resources to identify usage trends and changes to specific applications or systems.
- Growth in system capacities should be projected to support new business requirements and to plan new applications.

System Acceptance
Prior to the implementation of new or upgraded information systems, care should be taken to ensure that all requirements for acceptance have been met. Acceptance criteria should be clearly defined, documented and tested.

10.4 Protection Against Malicious and Mobile Code

Controls Against Malicious Software
- Appropriate security awareness training should be used to ensure that users are aware of the dangers of unauthorized or malicious software.
- Special controls that detect or prevent the introduction of malicious software should be introduced. Protection should be based on awareness, change management and system access controls.

Malicious Code
- Users who are connected to the Internet should be educated on safe practices when using resources from the Internet.
- Since messages containing binary attachments are also a method of incursion for malicious code, executable attachments should not be opened unless the sender is known, the file is expected, or the file has been screened by approved anti-virus software.

10.5 Housekeeping

Information Back-up
- Routine procedures should be followed to implement back-up strategies.
- Systems must be tested to ensure that all essential business data can be recovered following a disaster or system failure.

10.6 Network Management

Network Controls
Networks should be adequately managed and controlled in order to protect them from threats and to maintain security for the systems and applications using the network, including information in transit. Network managers should implement controls to ensure the security of information in networks and the protection of connected services from unauthorized access. In particular, the following items must be considered:
- operational responsibility for networks should be separated from computer operations where appropriate;
- responsibilities and procedures for the management of remote equipment, including equipment in user areas, should be established;
- special controls should be established to safeguard the confidentiality and integrity of data passing over public networks or wireless networks, and to protect the connected systems and applications;
- special controls may also be required to maintain the availability of network services and connected computers; and
- appropriate logging and monitoring should be applied to enable the recording of security-relevant actions.

Security of Network Services
- The security features, service levels and management requirements of all network services should be identified and included in any network services agreement.
- The ability of the network service provider to manage the agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.

10.7 Media Handling

Management of Removable Media
There should be procedures in place for the management of removable media. The following guidelines should be considered:
- if no longer required, the contents of any re-usable media that are to be removed from the organization should be made unrecoverable;
- where necessary and practical, authorization should be required for media removed from the County, and a record of such removals should be kept in order to maintain an audit trail;
- all media should be stored in a safe, secure environment, in accordance with manufacturers' specifications; and
- information stored on media that needs to be available longer than the media lifetime should also be stored elsewhere, to avoid information loss due to media deterioration.

Disposal of Media
When media is worn, damaged or otherwise no longer required, it should be disposed of in a secure manner. To prevent the compromise of confidential information through careless or inadequate disposal of computer media, formal procedures should be established for secure media disposal.

Information Handling Procedures
Procedures for the secure handling and storage of County information are required to protect the information from unauthorized disclosure or misuse. Such procedures should be consistent with the type of information being processed.

Security of System Documentation
Since the operational system documentation for County information systems may contain sensitive information, it should be protected from unauthorized access.

10.8 Exchanges of Information and Software

Information and Software Exchange Agreements
The exchange of protected or non-public information with other organizations should be based on a formal agreement that specifies the conditions and handling of the information (e.g., non-disclosure agreements).

Security of Media in Transit
- Packaging should be sufficient to protect the contents from any physical damage likely to arise during transit, in accordance with manufacturers' specifications.
- Where necessary, special controls should be adopted to protect confidential information from unauthorized disclosure or modification.

10.9 Electronic Commerce Security

Electronic Commerce
The following security risks must be considered in the design of all e-commerce applications:
- vulnerability of messages to unauthorized access or modification;
- potential exposure to denial of service attacks;
- vulnerability to error;
- impact of a change of communications media on the business process; and
- legal considerations.

Publicly Accessible Systems
The dissemination methods for County information classified as public should have, at a minimum, protection from unauthorized modification and denial of service attacks. Consideration of the security controls to be applied to publicly available systems should include some or all of the following:
- information to be disseminated is classified in compliance with data protection legislation;
- any information input to, and processed by, a public system (such as a request form, comment form or questionnaire) is processed completely, accurately and in a timely manner;
- confidential information is protected during the collection process and when stored;
- access to the public system does not allow unauthorized access to the networks to which it is connected;
- County information classified as other than public does not reside on systems where public information is being served; and
- information to be made available to restricted groups, such as employees, is protected by appropriate security mechanisms.

10.10 Monitoring

Event Monitoring
- All user-initiated logon attempts to connect with County production information systems should be logged, whether successful or not.
- Retention periods for logs should be established. The length of retention should reflect the availability of resources and the need to track historical information.
- Logs should be sufficient to meet the requirements of evidence collection.

Monitoring System Use
- The areas of concern for monitoring on any specific system should be established as the result of a risk assessment.
- The log files produced by the monitoring systems should be reviewed on a periodic basis to determine whether unauthorized activity has taken place.
- The log files should be secured in such a way as to prevent unauthorized alteration.

Activity Logs
- Logs should be maintained and securely stored.
- Logging should be used whenever possible for:
  - system utilization
  - system errors
  - communication session statistics
  - successful and unsuccessful logins

Fault Logging
- Computer operations personnel who monitor system operations should maintain a fault log, ensuring that complete and accurate records of all system and service faults are maintained and that all faults are properly handled.
- Where computer or network operations can be monitored by automated means, the automated fault logging capability should be enabled.
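The logon-attempt logging, periodic review and log-integrity requirements above, as an added worked example (this is illustration, not part of the County standard or any County system): a small Python script that parses constructed key=value logon records, flags a burst of failed logons from one user and source and a success that follows such a burst, and protects the stored records with an HMAC hash chain so that an edited or deleted record fails verification. The record format, the threshold of five failures within five minutes, and the key `LOG_KEY` are assumptions chosen for the example.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (key=value, syslog-like); not real County data.
SAMPLE_LOG = """\
2024-03-04T08:01:12 host=app01 event=logon user=jdoe src=10.1.5.23 result=success
2024-03-04T08:02:40 host=app01 event=logon user=admin src=198.51.100.9 result=failure
2024-03-04T08:02:43 host=app01 event=logon user=admin src=198.51.100.9 result=failure
2024-03-04T08:02:47 host=app01 event=logon user=admin src=198.51.100.9 result=failure
2024-03-04T08:02:50 host=app01 event=logon user=admin src=198.51.100.9 result=failure
2024-03-04T08:02:55 host=app01 event=logon user=admin src=198.51.100.9 result=failure
2024-03-04T08:03:01 host=app01 event=logon user=admin src=198.51.100.9 result=success
2024-03-04T09:15:00 host=app01 event=logon user=msmith src=10.1.5.40 result=failure
2024-03-04T09:15:30 host=app01 event=logon user=msmith src=10.1.5.40 result=success
"""

# Illustrative key (assumption); in practice it lives on the log server or an HSM, not beside the logs.
LOG_KEY = b"replace-with-a-random-32-byte-key"


def parse_event(line):
    """Turn one 'TIMESTAMP k=v k=v ...' record into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def find_suspicious_logons(log_text, threshold=5, window=timedelta(minutes=5)):
    """Review logon records for two patterns a reviewer would want surfaced:
    a burst of >= threshold failures from one (user, source) inside `window`,
    and a success that follows such a burst (a probable guessed password)."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps inside window
    burst_reported = set()
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        # Slide the window: keep only failures within `window` of this event.
        recent_failures[key] = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "failure":
            recent_failures[key].append(ev["ts"])
            if len(recent_failures[key]) >= threshold and key not in burst_reported:
                burst_reported.add(key)
                alerts.append({"kind": "failure_burst", "user": ev["user"], "src": ev["src"],
                               "count": len(recent_failures[key]), "at": ev["ts"]})
        elif ev["result"] == "success" and len(recent_failures[key]) >= threshold:
            alerts.append({"kind": "success_after_failures", "user": ev["user"], "src": ev["src"],
                           "count": len(recent_failures[key]), "at": ev["ts"]})
            recent_failures[key].clear()
            burst_reported.discard(key)
    return alerts


def chain_log(lines, key):
    """Make the stored log tamper-evident: each record gets an HMAC over the previous
    record's tag plus its own text, so editing or deleting a record breaks the chain."""
    prev = b"\x00" * 32
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key):
    """Return None if the chain is intact, otherwise the index of the first bad record."""
    prev = b"\x00" * 32
    for index, (line, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return index
        prev = expected
    return None


if __name__ == "__main__":
    for alert in find_suspicious_logons(SAMPLE_LOG):
        print(alert)
    records = chain_log(SAMPLE_LOG.splitlines(), LOG_KEY)
    print("chain intact:", verify_chain(records, LOG_KEY) is None)
```

On the constructed log the review reports two alerts for `admin` from 198.51.100.9 (a burst of five failures, then a success inside the window) and nothing for `msmith`, whose single failure is ordinary. The chain only detects tampering; it does not prevent it, so the key and a copy of the latest tag should be held somewhere the log writer cannot alter, such as a separate log host.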

11.0 Access Control

11.1 Business Requirement for Access Control

Access Control Policy
- All confidential information should be protected via access controls to ensure that it is not improperly disclosed, modified, deleted or rendered unavailable.
- Information should be disclosed only to those people who have a legitimate business need for the information (i.e., "need to know").
- Access control procedures should control access based on the need to know.
- A supervisor and/or manager should initiate the access approval process, and the privileges granted should remain in effect only until the employee's job function changes or the employee leaves the employment of the County.
- All production information possessed by or used by a particular County unit should have a designated owner who is responsible for determining appropriate sensitivity classifications and criticality ratings, making decisions about who can access the information, and ensuring that appropriate controls are utilized in the storage, handling, distribution and regular usage of the information.
- The authority to grant access to County information should be provided only by the owner of the information or their designate.
- Default access privileges should be set to deny-all prior to any specific permissions being granted.
- Access to system software utilities should be restricted to authorized users.
- For production computing resources, a change control process should be in place (see Section 10).
- Unless it has specifically been classified as public, all County information should be protected from disclosure.
- If non-public information is compromised or suspected of being compromised, the information owner and the appropriate security administration should be notified immediately.

11.2 User Access Management

Access Authorization
- User IDs may be granted to specific users only when approved in advance by the user's management.
- Prior to being granted to users, application system privileges should be approved by the involved application system owner.
- Without specific written approval from the user's management, administrators should not grant system privileges to any user.
- All users must have their identity verified with a user ID and a password issued by the appropriate authority prior to being permitted to use County computers and network resources.
- County employees who require access to information systems and/or resources to perform their job role should be granted appropriate access based on approval.
- Users are responsible for all activity performed with their personal user IDs.
- User IDs must not be utilized by anyone but the individuals to whom they have been issued.
- Users should sign (physically or electronically) a confidentiality agreement and an information system security agreement indicating that the user understands the conditions of access prior to being given a user ID that allows access to County systems.
- All County information system privileges must be promptly terminated at the time that a worker ceases to provide services to the County.
- The user's immediate manager and/or supervisor should periodically reevaluate the system privileges granted to a user, to determine whether currently enabled system privileges are still needed to perform the user's current job duties.
- All production information system user IDs must have a linked password to ensure that only the authorized user is able to utilize the user ID.
- User IDs should be linked to specific people, and should not be associated with computer terminals, departments, job titles, etc.
- Anonymous user IDs (e.g., "guest") should not be allowed unless approved in advance by the application system owner.
- Management should promptly report all significant changes in end-user duties or employment status to the appropriate security administrator handling the user IDs of the affected persons.

Privilege Management
- Users should be allocated privileges with the minimum access required for their job function, on a need-to-use basis.
- Management should define user privileges such that unauthorized users cannot gain access to, or otherwise interfere with, either the individual activities or the data of other users.
- All user ID creation, deletion and privilege change activity performed by systems administrators and others with privileged user IDs should be logged and periodically reviewed.
- Special access privileges, such as the ability to examine the files of other users, should be restricted to those directly responsible for system management and/or information security.

Password Management Systems
- Within any specific computing environment, the ability of general users to access any files containing passwords must be restricted.

Review of User Access Rights
- User access rights should be reviewed periodically (see Access Authorization, above).
- Authorization for special privileged access rights (see Privilege Management, above) should be reviewed on a periodic basis.
- Management and security administration should conduct periodic checks on the privileges granted to each user to ensure that unauthorized access has not been obtained.

11.3 User Responsibilities

Password Use
- Users should use good security practices in the selection and use of passwords.
- All system-level passwords (e.g., root, NT admin, application admin accounts, etc.) should be changed on at least a quarterly basis, except where the application or device has limitations that preclude the password being changed that frequently. The frequency with which those passwords are changed should take into account the risk involved should the password be compromised.
- User accounts that have system-level privileges granted through group memberships or programs should have a password that is different from those of the other accounts held by that user.
- Passwords should not be inserted into messages or other forms of electronic communication.
- Where possible, users should not use the same password for different County access needs.
- A separate password should be selected for operating system accounts. The exception is where a single sign-on system controls multiple systems.
- Users must not share County passwords with anyone, including administrative assistants or tech support.
- Users should not write passwords down and store them anywhere in their office, or store passwords in a file on any computer system (including PDAs or similar devices) without encryption.
- Users should not use the "Remember Password" feature of applications.
- If an account or password is suspected of being compromised, the incident must be reported to the appropriate department security liaison and the user should immediately change the password.
- Users should refuse all offers by software and/or Internet sites to automatically log in the next time that they access those resources.
- Temporary or first-use passwords should be changed the first time that the authorized user accesses the system.
- If users need to share computer-resident data, they should use approved network services or other mechanisms that do not infringe on any policies.
- Application developers should ensure their programs contain the following security precautions:
  - applications should support authentication of individual users, not groups
  - applications should not store passwords in clear text or in any easily reversible form
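The two developer precautions above (authenticate individual users, and never store passwords in clear text or an easily reversible form), as an added worked example that is not part of the County standard or of any County application: Python code that shows a reversible "encoding" of the kind the standard forbids beside salted, iterated PBKDF2-HMAC-SHA256 storage with a constant-time check, kept per individual user ID with a first-use flag so that a temporary password must be replaced at first logon. The record format `pbkdf2_sha256$iterations$salt$digest`, the iteration count, and the `UserStore` class are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os


# What the standard forbids: base64 is encoding, not encryption. Anyone who can
# read the stored value recovers the password with one library call.
def weak_store(password):
    return base64.b64encode(password.encode()).decode()


def weak_recover(stored):
    return base64.b64decode(stored).decode()


# Assumed default; tune it so one hash costs roughly 100 ms on the authentication host.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Salted, iterated one-way hash. A fresh random salt means two users with the
    same password get different records; the iteration count slows offline guessing."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record: wrong field count, bad hex or bad integer


class UserStore:
    """Per-user credential records, so authentication identifies an individual rather
    than a group. A temporary password is flagged and must be replaced at first logon."""

    def __init__(self, iterations=ITERATIONS):
        self._iterations = iterations
        self._users = {}  # user_id -> {"hash": record string, "must_change": bool}

    def create(self, user_id, temporary_password):
        self._users[user_id] = {"hash": hash_password(temporary_password, self._iterations),
                                "must_change": True}

    def authenticate(self, user_id, password):
        """Return (authenticated, must_change). An unknown user ID still costs one hash
        so that response time does not reveal which IDs exist."""
        record = self._users.get(user_id)
        if record is None:
            hash_password(password, self._iterations)
            return False, False
        ok = verify_password(record["hash"], password)
        return ok, ok and record["must_change"]

    def change_password(self, user_id, old_password, new_password):
        ok, _ = self.authenticate(user_id, old_password)
        if not ok:
            return False
        self._users[user_id] = {"hash": hash_password(new_password, self._iterations),
                                "must_change": False}
        return True


if __name__ == "__main__":
    print("recovered from weak storage:", weak_recover(weak_store("Summer2024!")))
    store = UserStore()
    store.create("jdoe", "Temp-1234")
    print("first logon:", store.authenticate("jdoe", "Temp-1234"))
    store.change_password("jdoe", "Temp-1234", "New-Pass-9")
    print("after change:", store.authenticate("jdoe", "New-Pass-9"))
```

Storing the scheme name and iteration count inside each record is what lets the cost be raised later: old records keep verifying with their own parameters and can be re-hashed on the user's next successful logon. The password file that holds these records is still one the standard says general users must not be able to read, because salted hashes slow guessing but do not stop it.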
